Patch Tuesday January 2018

Feb 16, 2018

This month’s Patch Tuesday is one of the most interesting in a while. Not just because the patches Microsoft was preparing for release today came a week early, but also because of the potential issues these patches might cause.

Patch Tuesday came early this month on January 3rd because details of several serious processor vulnerabilities were leaked. Cumulative updates were released for Windows 10, Windows Server 2016, Internet Explorer, Edge, and SQL Server. Security-only patches were released for Windows 7, Windows 8.1, Windows Server 2008 R2, and Windows Server 2012 R2. The Windows 10 updates include fixes for 35 CVEs, three of which are for 2017 CVEs relating to the speculative execution side-channel processor vulnerabilities.

Here is a complete list of the updates released on January 3rd that address the three speculative execution side-channel vulnerabilities. Full information about each patch and the fixes it includes is contained in the link for each KB article.

Windows Server 2008 R2 Service Pack 1, Windows Server 2012 R2, and Windows Server 2016 are patched against all three speculative execution side-channel vulnerabilities. Windows Server 2008 and 2012 have not been patched but Microsoft has said that patches should be made available soon. For more information on when Windows Server 2008 SP2 and Windows Server 2012 will be patched, check Microsoft’s website here. The patch for CVE-2017-5754 is only supported on 64-bit systems at this time.

CVE-2017-5715 requires new firmware with updated microcode for the processor. You should contact your device manufacturer to see if an update has been issued. Browsers also need to be hardened, so if you are not using Internet Explorer or Microsoft Edge, make sure you check that your browser is up-to-date. At the time of writing, Google is yet to patch Chrome.

PowerShell Speculation Control Module

If you want to check whether your systems are fully patched against CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754, including a microcode update for the processor, you can use the SpeculationControl PowerShell module on Windows 10 as shown below:

For earlier versions of Windows and the Windows Management Framework (WMF), you can download the SpeculationControl module from Microsoft’s website here. Unzip the downloaded file to the working directory and then use Import-Module to import the module.

Import-Module .\SpeculationControl.psd1
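Once the module is loaded by either route, Get-SpeculationControlSettings returns an object as well as printing its report. The following is an added example, not code from the original article or from Microsoft: the helper name Test-SpeculationMitigation is hypothetical, the sample object is constructed, and the property names are assumed to match those on the object the module returns.

```powershell
# Added example: Test-SpeculationMitigation is a hypothetical helper, not part of
# the SpeculationControl module. It reads the object that
# Get-SpeculationControlSettings returns.
function Test-SpeculationMitigation {
    param([Parameter(Mandatory)] $Settings)

    $gaps = @()

    # CVE-2017-5715: needs processor microcode AND the Windows update, enabled.
    if (-not $Settings.BTIHardwarePresent) {
        $gaps += 'CVE-2017-5715: firmware/microcode update not present'
    }
    if (-not $Settings.BTIWindowsSupportPresent) {
        $gaps += 'CVE-2017-5715: Windows update not installed'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        $gaps += 'CVE-2017-5715: Windows support installed but not enabled'
    }

    # CVE-2017-5754: kernel VA shadowing only matters on processors that need it.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $gaps += 'CVE-2017-5754: Windows update not installed'
        } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $gaps += 'CVE-2017-5754: Windows support installed but not enabled'
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        FullyMitigated = ($gaps.Count -eq 0)
        Gaps           = $gaps
    }
}

# Constructed sample: OS patched, firmware not yet updated.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
}
Test-SpeculationMitigation -Settings $sample | Format-List

# On a live system, after importing the module:
# Test-SpeculationMitigation -Settings (Get-SpeculationControlSettings)
```

Because the helper returns an object rather than text, the same check can be collected from many machines and filtered on FullyMitigated.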

AV Software Compatibility

Not all antivirus software is compatible with the patch and Microsoft suggests that you check that your AV software vendor has set ALLOW REG in the registry. The QualityCompat registry key should be set by the AV vendor as shown in the screenshot below. If not, Windows will not install the patch.

Kevin Beaumont is keeping a list of AV software that’s been updated for compatibility with the patch here.
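One way to confirm the QualityCompat setting on a machine before expecting the update to install, as an added example that is not part of the original article: the helper name Test-QualityCompat is hypothetical, and the full key path, value name and expected data (a REG_DWORD of 0) are not stated in the article but are assumed from Microsoft's antivirus compatibility guidance for the January 2018 updates.

```powershell
# Added example: Test-QualityCompat is a hypothetical helper. The default path
# and value name are assumptions taken from Microsoft's AV compatibility
# guidance, not from this article; override them if your guidance differs.
function Test-QualityCompat {
    param(
        [string] $Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat',
        [string] $ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    )

    $result = [ordered]@{
        Computer     = $env:COMPUTERNAME
        KeyPresent   = $false
        ValuePresent = $false
        Kind         = $null
        Data         = $null
        Compatible   = $false
    }

    if (Test-Path -LiteralPath $Path) {
        $result.KeyPresent = $true
        $key = Get-Item -LiteralPath $Path

        # Distinguish "key exists but the AV vendor never wrote the value"
        # from "value exists with the wrong type or data".
        if ($key.GetValueNames() -contains $ValueName) {
            $result.ValuePresent = $true
            $result.Kind         = $key.GetValueKind($ValueName)
            $result.Data         = $key.GetValue($ValueName)
            $result.Compatible   = ($result.Kind -eq 'DWord' -and $result.Data -eq 0)
        }
    }

    [pscustomobject]$result
}

# Read-only check of the local machine; nothing is written to the registry.
Test-QualityCompat | Format-List
```

A result with Compatible set to False on a machine that has no third-party AV installed, or whose AV vendor has not yet shipped an update, explains why the January update is not being offered.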

AMD Processors

On the back of reports that users with some AMD processors cannot boot Windows after applying the patch, Microsoft pulled the updates released January 4th for AMD processors. Users experienced blue screen errors 0x000000C4 and 0x800F0845 and couldn’t restore their devices via the usual methods. Microsoft has blamed AMD for not conforming ‘to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.’

Performance

There were initial worries that some workloads could see a slowdown of up to 30 percent, but the initial performance testing was carried out on Linux. Microsoft has since provided more information on the potential performance impact and, as you might expect, the patches affect performance more on older processors. For more information on the potential performance impact, see Microsoft Outlines Performance Impacts of Meltdown and Spectre Patching on Petri.

Other Fixes for Windows 10

The cumulative updates for Windows 10 version 1703 and 1709 include fixes for the following products:

Internet Explorer

Microsoft Edge

Microsoft Windows

Microsoft Office and Microsoft Office Services and Web Apps

SQL Server

ChakraCore

.NET Framework

.NET Core

ASP.NET Core

Adobe Flash

Actual Patch Tuesday

Finally, I get to what Microsoft released recently. As expected, Microsoft issued patches for .NET Framework and .NET Core. These patches were already part of the cumulative updates made available for Windows 10 on January 3rd but are now available for all supported versions of Windows. These updates resolve a vulnerability where .NET Framework and .NET Core fail to validate certificates. Before applying the update, make sure certificates are set up correctly with EKU OID attributes. For more information, see KB4055269.

Updates for Microsoft Office 2007, 2010, 2013, and 2016 are also available. The updates resolve 4 CVEs: CVE-2018-0793, CVE-2018-0794, CVE-2018-0797, and CVE-2018-0798, which include three remote code vulnerabilities and two memory corruption vulnerabilities.